Skip to main content

vLLM CVE-2026-53923

MEDIUM
Information Exposure (CWE-200)
2026-06-17 https://github.com/vllm-project/vllm GHSA-5jv2-g5wq-cmr4
5.3
CVSS 4.0 · Vendor: https://github.com/vllm-project/vllm
Share

Severity by source

Vendor (https://github.com/vllm-project/vllm) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.4 HIGH

Network delivery via crafted model file; operator must actively load it (UI:R); no attacker auth needed; scope change because leakage crosses tenant boundaries (S:C); high confidentiality impact from stale GPU memory exposure; no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/vllm-project/vllm).

CVSS VectorVendor: https://github.com/vllm-project/vllm

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 23:22 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
Jun 18, 2026 - 01:43 vuln.today
Analysis Generated
Jun 18, 2026 - 01:43 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on vllm (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.5.5.

DescriptionCVE.org

Summary

Integer truncation of tensor dimensions in vLLM's GGUF dequantize kernels (csrc/quantization/gguf/gguf_kernel.cu) causes partial tensor processing. The output tensor is allocated at full size via torch::empty (uninitialized memory), but the dequantize CUDA kernel processes only a truncated number of elements. The unfilled portion of the output tensor retains whatever was previously in GPU memory. In multi-tenant inference deployments, this residual GPU memory may contain tensor data from other users' inference requests, constituting information disclosure.

Root Cause

The to_cuda_ggml_t function pointer type at ggml-common.h:1067 declares its element count parameter as int (32-bit):

cpp
using to_cuda_ggml_t = void (*)(const void * __restrict__ x,
                                dst_t * __restrict__ y,
                                int k,              // 32-bit
                                cudaStream_t stream);

All dequantize kernel functions (dequantize_block_cuda, dequantize_row_q2_K_cuda, etc. in dequantize.cuh) inherit this int k parameter and use it as the kernel launch grid size:

cpp
static void dequantize_block_cuda(..., const int k, cudaStream_t stream) {
    const int num_blocks = (k + 2*CUDA_DEQUANTIZE_BLOCK_SIZE - 1) / (2*CUDA_DEQUANTIZE_BLOCK_SIZE);
    dequantize_block<<<num_blocks, CUDA_DEQUANTIZE_BLOCK_SIZE, 0, stream>>>(vx, y, k);
}

In ggml_dequantize() at gguf_kernel.cu:85, the caller passes m * n (an int64_t product) to this int k parameter:

cpp
at::Tensor DW = torch::empty({m, n}, options);    // line 80: full-size, UNINITIALIZED
// ...
to_cuda((void*)W.data_ptr(), (scalar_t*)DW.data_ptr(), m * n, stream);  // line 85: m*n truncated to int

When m * n > INT_MAX, the truncated k is smaller than the actual tensor size. The kernel processes k elements. The remaining (m * n) - k elements in DW are never written and contain stale GPU memory.

This is a single root cause -- the int type on the k parameter in to_cuda_ggml_t -- with a single fix: change int k to int64_t k. All dequantize functions inherit this type through the same typedef.

Affected Functions

All in csrc/quantization/gguf/gguf_kernel.cu:

FunctionLineAllocationInfo Disclosure?
ggml_dequantize74torch::empty({m, n}) at line 80Yes -- m*n truncated to int k at line 85
ggml_mul_mat_vec_a891torch::empty({vecs, row}) at line 99Yes -- int col = X.sizes()[1] at line 94
ggml_mul_mat_a8207torch::empty({batch, row}) at line 215Yes -- int col = X.sizes()[1] at line 210
ggml_moe_a8279torch::empty({tokens*top_k, row}) at line 289Yes -- int col = X.sizes()[1] at line 285

All four functions allocate output tensors with torch::empty (uninitialized) and then run CUDA kernels that use truncated dimension values as loop bounds. The unfilled portion of each output tensor retains stale GPU memory.

ggml_moe_a8_vec (line 382) uses torch::zeros instead of torch::empty, so it is not affected by the info disclosure variant.

Impact: Information Disclosure in Multi-Tenant Serving

vLLM is designed for multi-tenant inference serving. GPU memory is reused across requests from different users. When the dequantize kernel partially fills an output tensor:

  1. The output tensor DW is allocated with torch::empty -- the buffer contains whatever was previously in that GPU memory region
  2. The dequantize kernel fills only a truncated portion of the buffer
  3. The unfilled portion retains residual data from prior GPU operations, which may include tensor data from other users' inference requests
  4. The contaminated tensor proceeds through the model computation
  5. No error or warning is generated -- the partial fill is silent

This is a confidentiality violation. In shared inference deployments (the primary vLLM use case), one user's inference data can leak into another user's model computation through residual GPU memory.

Attacker Control

The attacker crafts a GGUF model file with weight tensor dimensions whose product exceeds INT_MAX (e.g., a matrix with shape [65536, 65536] gives m * n = 4,294,967,296). The model is hosted on HuggingFace or any model hub. The victim loads the model with vLLM for inference serving. The truncation happens automatically during model weight dequantization.

Fix

A fix for this vulnerability was added here: https://github.com/vllm-project/vllm/pull/44971

AnalysisAI

Integer truncation in vLLM's GGUF dequantize CUDA kernels (csrc/quantization/gguf/gguf_kernel.cu) silently corrupts tensor dequantization for large weight matrices in multi-tenant inference deployments, enabling cross-tenant GPU memory disclosure. When a GGUF model's weight tensor dimensions have a product exceeding INT_MAX (2,147,483,647), the int64_t element count is silently truncated to a 32-bit int at the to_cuda_ggml_t call site, causing CUDA kernels to process only a subset of the allocated output tensor. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft GGUF model with tensor dims product > INT_MAX
Delivery
Host malicious model on public repository
Exploit
Victim operator loads model into vLLM
Install
Integer truncation silently reduces kernel element count
C2
CUDA kernel partially fills dequantized output tensor
Execute
Stale GPU memory from prior tenants populates tensor tail
Impact
Contaminated tensor processed through inference pipeline without detection

Vulnerability AssessmentAI

Exploitation Exploitation requires the target vLLM deployment to load a GGUF-format model file containing at least one weight tensor whose dimension product (m*n) exceeds 2,147,483,647. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or EPSS probability was provided for CVE-2026-53923, requiring independent assessment of exploitation likelihood. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a GGUF model file containing a weight matrix with dimensions [65536, 65536], giving a total element count of 4,294,967,296 - just above INT_MAX. The attacker uploads this model to a public model hub such as HuggingFace with an innocuous name and description. …
Remediation The upstream fix is available in PR #44971 (https://github.com/vllm-project/vllm/pull/44971) and commit f219788f91952827132fa4fdf916427cd20d225e. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy